toinet Site Admin
Joined: 15 June 2007  Posts: 3062  Location: Le Chesnay, France

Posted: Sat 21 Apr 2018, 16:17  Post subject: Superkey (Bytes of Learning, 1985)
#993 - At every corner. With every step. You strain your eyes and your ears. Through endless castles and countless chambers. Where is the jeweled throne? You search. But only find - what you least expect. Another keyboard learning program. A program that was interestingly protected!
Disk structure
This is a nearly standard DOS 3.3 single-sided disk image. Note that the program does not boot on the IIgs due to a ROM check. The crack now runs on the IIgs.
Protection type
The protection lies in using a nibble after the epilog marker and using it as a deciphering value for the denibblize routine. There are two values stored in the zero page:
Code:
$FE always has the value 3
$FF has the value Sector * 16 EOR Track
The second protection is in RAM. A LOT, yes a lot, of code is encoded with an EOR value. It is always the same routine, used plenty of times, so they are here to slow down the work of the pirate. See the changes to apply to the sectors, phew, that was long!
How to copy
Boot my copy disk, launch Advanced Demuffin and think about how to perform the copy. The original RWTS cannot be used as it puts data in the text area. There is room at $300: why not call a routine when entering the RWTS at $BD00 to store the values at $FE and $FF, then return? Why not patch the denibblize routine to ensure you get the right data? I'll give some clues in another message in this thread.
How to normalize
Boot my copy disk and launch Disk Fixer. Perform the following changes to the disk (and there are a lot):
Code:
T0/S0/50: 9D -> 5D
T0/S0/5E: 9D -> 5D
T0/S0/6C: 9D -> 5D
T0/S0/7A: 9D -> 5D
T0/S0/97: 9D -> 5D
T0/S0/A5: 9D -> 5D
T0/S0/B3: 9D -> 5D
T0/S0/C1: 9D -> 5D
T0/S0/CF: 9D -> 5D
T0/S0/DD: 9D -> 5D
T0/S4/6F: 4C -> 2C /* Bypass ROM check
T0/S4/73: 78 -> EA /* Remove interrupt stop
T0/S5/44: 9D -> 5D
T0/S5/52: 9D -> 5D
T0/S5/60: 9D -> 5D
T0/S8/93: 9D -> 5D
T0/S8/A1: 9D -> 5D
T0/S8/AF: 9D -> 5D
T0/S8/BD: 9D -> 5D
T0/S8/CB: 9D -> 5D
T0/S8/D9: 9D -> 5D
T0/S8/E7: 9D -> 5D
T0/S8/F5: 9D -> 5D
T0/S9/20: 9D -> 5D
T0/S9/2E: 9D -> 5D
T0/S9/3C: 9D -> 5D
T0/S9/4A: 9D -> 5D
T0/S9/58: 9D -> 5D
T0/S9/72: 9D -> 5D
T0/S9/80: 9D -> 5D
T0/S9/8E: 9D -> 5D
T0/S9/9C: 9D -> 5D
T0/S9/AA: 9D -> 5D
T0/S9/B8: 9D -> 5D
T0/S9/C6: 9D -> 5D
T0/S9/D4: 9D -> 5D
T0/S9/E5: 9D -> 5D
T0/S9/F3: 9D -> 5D
T0/SA/01: 9D -> 5D
T0/SC/12: 45 FF 45 FE -> 49 00 EA EA /* patch denibblize routine
T0/SC/E0: EA BD -> 18 60 /* patch epilog check
The disk image is available at http://www.brutaldeluxe.fr/crack/
Reboot and... enjoy,
LoGo
4/2018
Last edited by toinet on Sat 21 Apr 2018, 16:24; edited 1 time
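As an added illustration of the protection described above (not code from this thread, from the Superkey program or from DOS 3.3), this Python models the keyed-EOR denibblize step: it walks the loop exactly as listed, derives $FF as Sector * 16 EOR Track and $FE as 3, and shows that the two EORs reduce to one constant byte per sector, so a key built from values the reader already has (track and sector) hides nothing. The buffer layout (primary bytes as 00dddddd, secondary as 00ssssss) and the prenibble helper used to build test input are assumptions chosen to invert the listed loop.

```python
# Constructed model of Superkey's keyed-EOR denibblize layer; not the program's
# code. Assumed buffer layout: $BB00 holds 00dddddd, $BC00 holds 00ssssss.

FE_KEY = 0x03  # zero page $FE: always 3 (first post)

def ff_key(track: int, sector: int) -> int:
    """Zero page $FF: Sector * 16 EOR Track, kept to 8 bits."""
    return ((sector << 4) ^ track) & 0xFF

def sector_mask(track: int, sector: int) -> int:
    """The two EORs in the loop collapse to one constant byte per sector."""
    return ff_key(track, sector) ^ FE_KEY

def postnibble(primary, secondary, ff=0, fe=0) -> bytes:
    """Emulate the listed routine: 6&2 merge, then EOR $FF, EOR $FE.
    ff=fe=0 is its behaviour after the T0/SC/12 patch (EOR #$00, NOP, NOP)."""
    sec = list(secondary)
    out = bytearray(256)
    x = 0x56                      # LDX #$56 ... DEX -> first X is $55
    for y in range(256):
        x -= 1
        if x < 0:                 # BMI: LDX #$56 ; DEX
            x = 0x55
        a = primary[y]            # LDA $BB00,Y
        for _ in range(2):        # LSR $BC00,X ; ROL A, twice
            carry = sec[x] & 1
            sec[x] >>= 1
            a = ((a << 1) | carry) & 0xFF
        out[y] = a ^ ff ^ fe      # EOR $FF ; EOR $FE ; STA ($3E),Y
    return bytes(out)

def prenibble(data: bytes):
    """Inverse of postnibble(); constructed helper, not DOS 3.3's own code."""
    primary = [b >> 2 for b in data]
    secondary = [0] * 0x56
    for y in range(255, -1, -1):  # first-consumed pair must end in the low bits
        x = 0x55 - (y % 0x56)
        pair = ((data[y] & 1) << 1) | ((data[y] >> 1) & 1)  # ROL order swaps them
        secondary[x] = ((secondary[x] << 2) | pair) & 0x3F
    return primary, secondary

def roundtrip(track: int, sector: int, plain: bytes):
    """Store plain as the protection would, then decode with and without keys."""
    ff = ff_key(track, sector)
    prim, sec = prenibble(bytes(b ^ ff ^ FE_KEY for b in plain))
    return postnibble(prim, sec, ff, FE_KEY), postnibble(prim, sec)
```

roundtrip(0x11, 0x0F, bytes(range(256))) returns the plaintext first and the still-masked bytes second; XOR the second with sector_mask(0x11, 0x0F) and the two agree, which is all the key layer ever did.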
toinet Site Admin

Posted: Sat 21 Apr 2018, 16:21
Allow sectors to be read... Set the right value at zero page $FF
Code:
Patch the RWTS entry point:
BD00:20 00 03 EA
0300:84 48 85 49
The code you have to adapt at $0304; use the indirect address at $48..$49 to get the track and sector values:
00E0:0A ASL
00E1:0A ASL
00E2:AA TAX
00E3:BD 02 B6 LDA $B602,X
00E6:A8 TAY
00E7:BD 03 B6 LDA $B603,X
00EA:F0 01 BEQ $00ED
00EC:C8 INY
00ED:98 TYA
00EE:18 CLC
00EF:6D 0C B7 ADC $B70C
00F2:85 FE STA $FE
00F4:A9 00 LDA #$00
00F6:6D 0D B7 ADC $B70D
00F9:85 FF STA $FF
Patch the denibblize routine:
00/B8C2: A0 00 LDY #00
00/B8C4: A2 56 LDX #56
00/B8C6: CA DEX
00/B8C7: 30 FB BMI B8C4 ;-05=
00/B8C9: B9 00 BB LDA BB00,Y
00/B8CC: 5E 00 BC LSR BC00,X
00/B8CF: 2A ROL
00/B8D0: 5E 00 BC LSR BC00,X
00/B8D3: 2A ROL
00/B8D4: 49 03 EOR #03
00/B8D6: 45 FF EOR FF
00/B8D8: 91 3E STA (3E),Y
00/B8DA: C8 INY
00/B8DB: D0 E9 BNE B8C6 ;-17=
00/B8DD: 60 RTS
00/B8DE: A0 20 LDY #20
00/B8E0: 88 DEY
00/B8E1: F0 61 BEQ B944 ;+61=
00/B8E3: BD 8C C0 LDA C08C,X
00/B8E6: 10 FB BPL B8E3 ;-05=
If nobody gives the answer for the code to add at $0304, I'll write it here.
toinet Site Admin

Posted: Sat 21 Apr 2018, 16:22
The original denibblize routine:
Code:
0000:A0 00 LDY #$00
0002:A2 56 LDX #$56
0004:CA DEX
0005:30 FB BMI $0002
0007:B9 00 04 LDA $0400,Y
000A:5E 00 05 LSR $0500,X
000D:2A ROL
000E:5E 00 05 LSR $0500,X
0011:2A ROL
0012:45 FF EOR $FF ; key one
0014:45 FE EOR $FE ; key two
0016:91 3E STA ($3E),Y
0018:C8 INY
0019:C4 26 CPY $26
001B:D0 E7 BNE $0004
001D:60 RTS
001E:A0 20 LDY #$20
0020:88 DEY
0021:F0 61 BEQ $0084
0023:BD 8C C0 LDA $C08C,X
0026:10 FB BPL $0023
0028:49 D5 EOR #$D5
002A:D0 F4 BNE $0020
toinet Site Admin

Posted: Sat 21 Apr 2018, 16:23
The original routine that reads the extra nibbles to define the value at $FF:
Code:
00CD:BD 8C C0 LDA $C08C,X
00D0:10 FB BPL $00CD
00D2:C9 DE CMP #$DE
00D4:D0 AE BNE $0084
00D6:EA NOP
00D7:BD 8C C0 LDA $C08C,X
00DA:10 FB BPL $00D7
00DC:C9 AA CMP #$AA
00DE:D0 A4 BNE $0084
00E0:EA NOP
00E1:BD 8C C0 LDA $C08C,X
00E4:10 FB BPL $00E1
00E6:20 F1 BC JSR $BCF1
00E9:20 F1 BC JSR $BCF1
00EC:10 00 BPL $00EE
00EE:BD 8C C0 LDA $C08C,X
00F1:29 F3 AND #$F3
00F3:85 FF STA $FF
00F5:18 CLC
00F6:60 RTS